I ran into an interesting problem while recently checking over my blog. I noticed that the RSS feed from the discussion forums was failing to load in the HTML footer of my blog. It was returning the error “RSS Error: WP HTTP ERROR: SSL connect error”. So I started digging into trying to figure out what had broken.

I quickly found that cURL was having issues connecting to https://forums.networkinfrastructure.info without any parameters;

Initially I thought I had a certificate issue, concerned that either the GEO Trust root certificate and/or intermediate RapidSSL SHA256 certificate might be missing from /etc/pki/tls/certs/ca-bundle.crt but I was able to quickly rule that problem out using the -k flag on cURL. I noticed that if I tell cURL to use TLS 1.2 then it can connect without issue;

So there’s some issue with cURL negotiating between SSLv3, TLS 1.0, TLS 1.1 and TLS 1.2. I turned to Google and found way to many bug reports and issues with how cURL tries to negotiate the transport layer security protocol. There’s a lengthy discussion regarding bug 1170339 concerning cURL’s default behavior on a RedHat/CentOS client and covers the exact scenario I’m experiencing.

I decided to turn my attention to the server configuration, perhaps I could find a quick fix in the server configuration, because a client fix might work for this specific client but would still be present for anyone else on the Internet using the same client software.

I restarted Nginx and then ran a quick test from Qualys SSL Labs to validate the changes and found that I needed to make an additional config tweak to close a Diffie-Hellman issue. With that complete I the server was now scoring an A from the Qualys SSL Lab testing and it was answering TLS 1.0 requests from cURL.